What is CVE-2025-8154?

CVE-2025-8154 is a medium-severity vulnerability in Wso2 Api_control_plane, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 5.3/10. Published 2026-05-11.

How severe is CVE-2025-8154?

Medium severity. CVSS v3 base score is 5.3 out of 10.

Vulnerability in Wso2 Api_control_plane

CVE-2025-8154

In Webhook API invocations, the component accepts user-supplied input for HTTP request headers without sufficient validation or sanitization, allowing these headers to be injected into HTTP responses. By exploiting this vulnerability, a m…

EPSS: 0.001 (17.6th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 5.3 (Medium). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

Affected products

Wso2 Api_control_plane
Wso2 Api_manager
Wso2 Traffic_manager
Wso2 Universal_gateway
Wso2 Api Control Plane — versions 4.5.0
Wso2 Api Manager — versions 0, 4.1.0, 4.2.0
Wso2 Carbon Api Gateway — versions 9.20.74, 9.28.116, 9.29.120
Wso2 Carbon Api Management Implementation — versions 9.20.74, 9.28.116, 9.29.120
Wso2 Traffic Manager — versions 4.5.0
Wso2 Universal Gateway — versions 4.5.0

Weakness classification (CWE)

CWE-74 — Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection)

References

ed10eef1-636d-4fbe-9993-6890dfa878f8 (vendor-advisory, Vendor Advisory)

Frequently asked questions

What is CVE-2025-8154?: CVE-2025-8154 is a medium-severity vulnerability in Wso2 Api_control_plane, classified under Improper Neutralization of Special Elements in Output Used by a Downstream Component (Injection). CVSS score: 5.3/10. Published 2026-05-11.
How severe is CVE-2025-8154?: Medium severity. CVSS v3 base score is 5.3 out of 10.